FIPS Validation: Difference between revisions
| Line 116: | Line 116: | ||
== Testing Lab == | == Testing Lab == | ||
[http://www. | [http://www.saic.com/infosec/testing-accreditation/ SAIC ] | ||
== FIPS 140 Information == | == FIPS 140 Information == | ||
Revision as of 18:43, 16 November 2011
NSS FIPS 140 validation
Softoken is a component of NSS, and has a separate version number. The most recent FIPS validated Softoken is 3.12.4 and is in NSS 3.12.4 and NSS 3.12.5 and NSS 3.12.6. Binaries are available | here.
NSS softoken has completed FIPS 140 validation four times: 1997, 1999, 2002, 2007 and 2009. View | NSS FIPS validation history here. View the FIPS2009 validation here.
This page documents our current NSS FIPS 140 validation.
Updates
April 2010 NSS Softoken has finished its validation NSS Certs
Platforms for 2011
- Level 1
- RHEL 6 x86 32 bit (no AES-NI)
- RHEL 6 x86 64 bit
Algorithms
Plan is to validate all FIPS-approved algorithms that NSS implements and NIST has tests for. There are eight such algorithms.
| Algorithms | Key Size | Modes | Certificates |
|---|---|---|---|
| TripleDES | KO 1,2,3 (56,112,168) |
TECB(e/d; KO 1,2,3) |
Pending] |
| AES | 128/192/256 |
ECB(e/d; 128,192,256) |
Pending |
| SHS (including all variants: SHA-1, SHA-256, SHA-384, and SHA-512) |
SHA-1 (BYTE-only) |
N/A |
Pending |
| HMAC |
HMAC-SHA1, HMAC-SHA256, |
KeySize < BlockSize, |
Pending |
| DRBG | N/A |
Hash_DRBG of NIST SP 800-90 |
Pending |
| DSA | 512-1024 |
PQG(gen)MOD(1024); |
Pending |
| RSA | 1024-8192 |
ALG[RSASSA-PKCS1_V1_5]; SIG(gen); SIG(ver); |
Pending |
| ECDSA
(Extended ECC) |
163-571 |
PKG: CURVES( ALL-P ALL-K ALL-B ); |
Not In 2011 Validation |
| ECDSA
(Basic ECC) |
256-521 |
PKG: CURVES( ALL-P P-256 P-384 P-521 ); |
Not In 2011 Validation |
Dependant Bugs
| Bug | Description | Completed |
|---|---|---|
Testing Lab
FIPS 140 Information
NIST Cryptographic Module Validation Program
NSS FIPS 140-2 Validation Docs
NSS FIPS 140-2 Validation Docs
FIPS 140-2 Derived Test Requirements (DTR)
FIPS 140-2 Derived Test Requirements (DTR)
Vendor Information
NSS is actively supported and maintained by the following corporations:
Sun Microsystems, Inc.: http://www.sun.com/contact/
Red Hat, Inc.: http://www.redhat.com/about/contact/
Mozilla Foundation, Inc.: http://www.mozilla.org/contact/
Schedule
| Milestone | Item | Deps | Time | Who | Completed |
|---|---|---|---|---|---|
| M1 | Initial Setup | ||||
| 1a | Choose validation Lab, approve costs, and sign NDA | all | all | Atlan | |
| 1d | Define Algorithms, Key Sizes and modes | ||||
| M2 | Complete NSS 3.12 FIPS dependant bugs | ||||
| M3 | Update documentation (numbers in parentheses refer to sections in FIPS documentation) | ||||
| 3a. | (1.0) Security policy, new algorithms | 1d | 2 wks | all | |
| 3b. | Generate annotated source tree (LXR -> HTML) | M2 | |||
| 3c. | (2.0) Finite State Machine | 3b | 3 wks | ||
| 3d. | (3.0/4.0) Cryptographic Module Definition | 3b | 2 wks | ||
| 3e. | (6.0) Software Security (rules-to-code map) | 3b | 2 wks | ||
| 3f. | (8.0) Key Management Generate 20K random #'s | 1 day | |||
| 3g. | (9.0) Cryptographic Algs | 3a | 3 days | ||
| 3h. | (10.0) Operational Test Plan | 1 day | |||
| 3i. | Document architectural changes between 3.2 and 3.11 | 5 days | |||
| M4 | Send docs to testing lab | ||||
| 4a. | Security Policy | all | |||
| 4b. | Finite State Machine | 3c | |||
| 4c. | Module Def. / rules-to-code | 3d,3e | |||
| M5 | Operational validation | ||||
| 5a. | Algorithm testing | 1 month | |||
| 5b. | Operational testing | 3h | 1 week | ||
| 5c | set up machines for Lab to run operational tests on, provide Lab tech with access to machines (last time we both sent a box to the lab and set up a temporary account in the intranet for them) | ||||
| M6 | Internal QA of docs | M2-M5 | 1 week | all | |
| M7 | Communication between NSS team / Lab / NIST about status of validation / algorithm certificates | M1-5 | 3-6 mos | all |